Digital Identity Trust Framework
The Digital Identity Trust Framework is a regulatory framework that will set out rules for the delivery of digital identity services.
The trust framework will address gaps in regulation and assist the development of trusted, people-centred digital identity services.
The framework applies to service, technology and information providers.
Drafting the Trust Framework Bill
The Digital Identity Trust Framework Bill provides the legal mechanism for establishing the trust framework.
In July 2020, Cabinet agreed to establish the Digital Identity Trust Framework in legislation.
In February 2021, Cabinet approved policy proposals that underpin the Digital Identity Trust Framework, including the establishment of an Accreditation Authority and Governance Board.
The Bill aims to promote the provision of secure and trusted digital identity services that meet essential minimum requirements for security, privacy, identification management and interoperability. It also aims to support community resilience and realise the wider benefits of digital identity.
In May 2021, Cabinet released detailed policy information about the Bill’s development.
In September 2021, the Bill was introduced into Parliament, and the proposed new law’s progress through the legislative stages can be tracked via the New Zealand Parliament website.
Digital Identity Services Trust Framework Bill — New Zealand Parliament, Pāramata Aoteoroa
The aims of the Bill
The intention is for the Bill to establish:
- a governance board as a public service authority within a public service department
- an accreditation authority within a public service department
- a liability framework subject to the development of the rules
- the offences and penalties for the Trust Framework
- infringement notices, provided through primary legislation
- the accreditation authority′s ability to recover costs
- a disputes resolution process.
Developing the draft Digital Identity Trust Framework rules
The rules apply minimum requirements across 5 categories:
- Identification management — defining how a user can be identified and authenticated so that they may have access to systems and services.
- Information and data management — defining how information is administered and determining the use, management, and protection of data.
- Security and risk management — reducing and mitigating risks relating to the creation and sharing of information in a digital manner.
- Privacy requirements — includes the incorporation of requirements under the Privacy Act 2020.
- Sharing and facilitation requirements — includes consideration of the consent and delegation models to be used.
The rules will focus on incorporating existing standards and requirements that need to be met to provide a trusted environment for those operating within the digital identity system.
A development and testing group of public and private membership, and including Māori partners, is providing feedback on initial draft rules.
Te Ao Māori and Te Tiriti o Waitangi perspectives and requirements will be embedded in each category.